Operating System Diversification


Malware, or malicious software, is one of the main problems on the Internet today. Malicious software relies on prior knowledge of operating system interfaces, which are identical across installations, to accomplish its goals. To access resources on a computer, a malicious program has to know the interface that provides the resources. Because of the current operating system monoculture, an adversary can create a single malicious program that works on hundreds of millions of computers that use the same operating system.

As the number of malicious programs keeps growing and new variants keep popping up, traditional fingerprint-based antivirus software is becoming increasingly inefficient in the fight against malicious programs. Also, antivirus programs often only detect the threats they are already aware of. Therefore, new approaches to malware prevention are needed to complement them. Diversification adopts a proactive view by preventing malicious code from harmfully interacting with its environment even before it is executed.


Our goal is to provide protection to applications and software systems in a new way: we attempt to diversify the implementations of all software layers and their interfaces on the binary level. The system call interface of the operating system, through which resources are accessed, is diversified uniquely for each system, and all the entry points to this interface are diversified accordingly.

In such a system, malware that relies on prior knowledge about the existing interfaces of an operating system is rendered useless by diversification: it can no longer use the resources of the system. Only trusted applications that are diversified will work in the system. Also, even if the malware were to find out the secret diversification for one system, it cannot perform any large-scale attacks because the diversification is unique for each system.
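The following toy model illustrates the idea described above. It is an added example, not the project's code: the syscall table, the `Kernel` class, the secret-derived mapping and all names are assumptions made for illustration, and the seeded `random` generator stands in for whatever diversification the real system uses.

```python
import hashlib
import hmac
import random

# Constructed toy syscall table (canonical number -> name), not a real OS ABI.
CANONICAL = {0: "read", 1: "write", 2: "open", 3: "close", 4: "execve"}
NUMBER_SPACE = 2 ** 16  # diversified numbers are drawn from a sparse space


def make_mapping(system_secret: bytes) -> dict:
    """Derive this system's map: canonical number -> diversified number."""
    seed = hmac.new(system_secret, b"syscall-diversification",
                    hashlib.sha256).digest()
    rng = random.Random(seed)  # model only; not a cryptographic generator
    # Skip the canonical range so well-known numbers are never valid here.
    pool = range(len(CANONICAL), NUMBER_SPACE)
    return dict(zip(sorted(CANONICAL), rng.sample(pool, len(CANONICAL))))


def diversify(program: list, mapping: dict) -> list:
    """Rewrite a trusted program's syscall numbers for one specific system."""
    return [mapping[number] for number in program]


class Kernel:
    """Dispatcher that only understands its own diversified entry points."""

    def __init__(self, system_secret: bytes):
        self.mapping = make_mapping(system_secret)
        self._dispatch = {d: CANONICAL[c] for c, d in self.mapping.items()}

    def run(self, program: list) -> list:
        trace = []
        for number in program:
            name = self._dispatch.get(number)
            if name is None:
                trace.append("EINVAL")  # unknown entry point: call rejected
                break
            trace.append(name)
        return trace


if __name__ == "__main__":
    program = [2, 0, 1, 3]  # open, read, write, close in canonical numbering
    system_a, system_b = Kernel(b"system-A"), Kernel(b"system-B")
    print(system_a.run(diversify(program, system_a.mapping)))  # trusted code
    print(system_a.run(program))                               # undiversified
    print(system_a.run(diversify(program, system_b.mapping)))  # other system
```

Code rewritten for system A runs there, while the same program in canonical numbering, or rewritten for system B, is rejected at its first call on system A.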
